April 19, 2010

ROSS PHILO
EXECUTIVE VICE PRESIDENT AND CHIEF INFORMATION OFFICER

THOMAS G. DAY
SENIOR VICE PRESIDENT, INTELLIGENT MAIL AND ADDRESS QUALITY

SUBJECT: Audit Report - Network Security Assessment of the National Customer Support Center (Report Number IS-AR-10-007)

This report presents the results of our self-initiated network security assessment of the National Customer Support Center (NCSC) (Project Number 09RG030IS000). Our objective was to determine whether network security controls implemented at the NCSC and associated sites adequately provide for the confidentiality, integrity, and availability of U.S. Postal Service information resources. This audit addresses operational risk. See Appendix A for additional information about this audit.

The NCSC supports the Intelligent Mail program and Address Quality function for the Postal Service. The facility’s mission is to support the Postal Service with an address quality database, a change of address system, and customer address products to facilitate the timely and cost-effective coding, sorting, and delivery of the mail.

Conclusion

Network security controls in place at the NCSC may not adequately provide for the confidentiality, integrity, and availability of Postal Service information resources. Management can improve information security by implementing patch and configuration management processes, upgrading and patching database software, and reviewing server configurations to ensure compliance with Postal Service hardening standards. Based on our audit results, management began remediating patch and configuration-related vulnerabilities during the audit.

Operating System and Database Server Vulnerabilities

Administrators did not patch consistently or configure correctly the operating system and database environments. We xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx The operating system vulnerabilities existed because administrators relied on ineffective vulnerability assessments rather than a proactive patch and configuration management process to identify and remediate missing patches and configuration issues. The database vulnerabilities existed because administrators did not upgrade to a version of the Oracle® database software required to apply the patches. Xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx[1] xxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx See Appendix B for our detailed analysis of this topic.

Network Security Assessment of the National Customer Support Center                IS-AR-10-007

We recommend the senior vice president, Intelligent Mail and Address Quality, direct the manager, Address Management, to:

1. Utilize the Postal Service patch and configuration management processes to identify and remediate missing patches and configuration issues.

2. Upgrade the Oracle database software and remediate the patch-related vulnerabilities.

3. Periodically review server configurations to ensure servers comply with applicable Postal Service hardening standards.

Web Server Vulnerabilities

Administrators did not harden[2] a publicly accessible web server that supports xxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx[3]x. Specifically, we identified one xxxxxxxxxxxxxxxxxx[4]xxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxx.[5] Administrators did not identify these vulnerabilities because they did not configure the vulnerability management software to xxxxxxxxxxxxxxxxx xxxx. According to Postal Service policy,[6] information resources supported by networking must be hardened to meet or exceed the requirements documented in Postal Service hardening standards specific to each platform. xxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx[7]) xxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.[8] xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxx[9] xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx This data includes information related to xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxx. Prompted by our audit, administrators modified the application to remove the xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx. Therefore, we are not making a recommendation to remediate those specific issues.

[1] xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
[2] Hardening refers to the process of implementing additional software and hardware security controls.
[3] The Postal Service and its mailers use MITS. It contains mail-related products and service information as well as a mailer feedback tool.
[4] xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
[5] xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
[6] Handbook AS-805, Information Security, Section 11-3.6, Implementing Hardening Standards, dated November 2009.
[7] xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
[8] Handbook AS-805, Section 10-3.1 (j), Software Safeguards.

We recommend the senior vice president, Intelligent Mail and Address Quality, direct the manager, Address Management, to:

4. Configure existing vulnerability management software to assess xxxxxxxxxx xxxxxxxxxxxxx as required.

Management’s Comments

Management agreed with the findings and recommendations. In response to recommendations 1 through 3, management will coordinate with the Corporate Information Security Office (CISO) to develop and implement a patch management process and standardize NCSC systems with Postal Service hardening standards. Management implemented a formal patch and configuration review process to ensure all servers continue to comply with Postal Service requirements.
This policy is the interim methodology intended to keep NCSC systems at the appropriate revision level and compliant with Postal Service hardening standards. The target completion date for recommendations 1 and 3 is September 30, 2010. The target completion date for recommendation 2 is September 1, 2010.

In response to recommendation 4, management coordinated with the CISO to verify the configuration of the vulnerability management software to ensure it performs web server assessments according to Postal Service policy. Management completed its proposed action and requests closure of this recommendation. See Appendix C for management’s comments in their entirety.

Evaluation of Management’s Comments

The OIG considers management’s comments responsive to the recommendations, and their corrective actions should resolve the issues identified in the report.

Other Matters – Network Security

We identified xxxxxxxxxxxxxxxxxxxxxxxxxxxxx that could allow an unauthorized person to access the NCSC network. When notified, management took corrective action to xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxx. Management also updated employee departure procedures to reflect the requirement to deactivate network connections when an employee or contractor departs the organization. As a result, we are not making a recommendation to address this network security issue.

[9] xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.

The OIG considers recommendation 1 significant and, therefore, requires OIG concurrence before closure. Consequently, the OIG requests written confirmation when corrective action is completed. This recommendation should not be closed in the Postal Service’s follow-up tracking system until the OIG provides written confirmation that the recommendation can be closed.

We appreciate the cooperation and courtesies provided by your staff. If you have any questions or need additional information, please contact Frances E. Cain, director, Information Technology, or me at 703-248-2100.

Darrell E. Benjamin, Jr.
Deputy Assistant Inspector General for Revenue and Systems

Attachments

cc: John T. Edgar
    Deborah J. Judy
    Charles L. McGann
    James D. Wilson
    Sally K. Haring

APPENDIX A: ADDITIONAL INFORMATION

BACKGROUND

The NCSC, located in xxxxxxxxx, is a customer support and software engineering facility that supports the Intelligent Mail program and Address Quality function for the Postal Service. Specifically, the NCSC supports applications that facilitate the National Change of Address and Address Information System Product Fulfillment systems. The facility’s mission is to support the Postal Service with a quality address database, a change of address system, and customer address products to facilitate the timely and cost-effective coding, sorting, and delivery of the mail. In fiscal year 2009, NCSC products and services generated more than $100 million in revenue for the Postal Service.

OBJECTIVE, SCOPE, AND METHODOLOGY

Our objective was to determine whether network security controls implemented at the NCSC and associated sites adequately provide for the confidentiality, integrity, and availability of Postal Service information resources.
To achieve our objective, we performed network security assessments using industry-accepted automated software tools and manual reviews to identify known high-risk vulnerabilities. In addition, we performed a limited review of physical security.

We performed our assessment from November 30 through December 11, 2009, and limited our review to xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx residing on eight subnets assigned to the NCSC. We interviewed key officials and reviewed applicable Postal Service policies, standards, and procedures. We used manual and automated techniques to analyze computer-processed data and concluded the data were sufficiently reliable to meet the report objectives. We provided management with detailed results on January 22, 2010.

We conducted this performance audit from September 2009 through April 2010 in accordance with generally accepted government auditing standards and included such tests of internal controls as we considered necessary under the circumstances. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusion based on our audit objective.
We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective.

PRIOR AUDIT COVERAGE

The OIG did not identify any prior audits or reviews related to the objective of this audit.

APPENDIX B: DETAILED ANALYSIS

Operating System and Database Server Vulnerabilities

The Postal Service requires a patch management process to control the deployment and maintenance of software releases and to resolve known security vulnerabilities.[10] Additionally, administrators must manage changes to information resources and configurations to ensure resources are not inadvertently exposed to unnecessary risk and vulnerabilities.[11] Further, system administrators must harden hardware and system software to comply with Postal Service information security requirements.[12]

Operating Systems

For the xx operating systems included in our review, we identified xxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx as detailed in the following table:

    Operating System     Number     Systems With At Least One     Unique High-Risk Patch
    Environment[13]      Assessed   High-Risk Vulnerability       Related Vulnerabilities
    xxxxxxx              xx         xx                            xxx
    xxxxx                x          x                             xx
    xxxxx                xx         xxx                           xx
    Total                xx         xxx                           xxx

We aged each missing operating system patch according to the date the operating system’s vendor made the most recent patch publicly available. As displayed in the following tables, vendors made a patch available to remediate 70 percent of the Windows and 63 percent of the xxxxxxxxxxxxxxxxxxxxxxxxx vulnerabilities at least 1 year before December 15, 2009, the date we completed our automated assessment.

    xxxxxxx Patch Aging Schedule
    Age               Number     Percentage
    < 30 Days             3            2%
    31 – 180 Days        33           18%
    181 – 365 Days       19           10%
    > 365 Days          131           70%
    Total               186[14]      100%

    xxxxxxxxxx Patch Aging Schedule
    Age               Number     Percentage
    < 30 Days             1            1%
    31 – 180 Days        23           18%
    181 – 365 Days       23           18%
    > 365 Days           81           63%
    Total               128[15]      100%

[10] Handbook AS-805, Section 8-2.4, Configuration and Change Management.
[11] Handbook AS-805, Section 8-2.4.3, Change and Version Control.
[12] Handbook AS-805, Section 8-2.4.2, Configuration Hardening Standards.
[13] The operating system environment includes operating system and third-party application vulnerabilities.
[14] xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxx.

In addition, we identified:

    • Two xxxxxx systems with xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx[16] xxxxxxxx.
    • Five xxxxxxx systems with xxxxxxxxxxxxxxxxxxxxxxxxx.
    • Twenty-six systems xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
    • Three xxxx systems xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
    • One xxxxx system xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
    • One system xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
    • Sixty-two xxxxxxx operating systems that were xxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxx.
    • xxxxxxxxxx operating systems xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxx.
    • Five systems allowed xxxx[17] xxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
    • Four xxxx operating systems xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxx.
    • Overall, we identified xx configuration-related vulnerabilities, as shown in the following table.

    Operating     Number     Unique High-Risk Configuration
    System        Assessed   Related Vulnerabilities
    xxxxxxx       xx         xxx
    xxxx          x          x
    xxxxx         xx         xx
    Total         xx         xx
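The patch-aging computation the analysis describes, as an added example that is not part of the OIG report or any Postal Service tool: it ages each missing patch by the date its vendor published it, measured against the December 15, 2009 assessment completion date, and builds the same four-bucket schedule the tables use, including the share of patches more than 1 year old. The scan rows, host names and patch ids are constructed placeholders, and the exact bucket edges (a patch exactly 30 days old counted in the first bucket) and de-duplication of repeated scanner rows are assumptions, not details stated in the report.

```python
from collections import Counter
from datetime import date

# Date the report states the automated assessment was completed.
ASSESSMENT_DATE = "2009-12-15"

# Bucket labels in the report's order; edges are an assumption
# (day 30 falls in the first bucket, day 365 in the third).
BUCKETS = ("< 30 Days", "31 - 180 Days", "181 - 365 Days", "> 365 Days")


def age_bucket(released: str, as_of: str = ASSESSMENT_DATE) -> str:
    """Aging bucket for a patch the vendor published on `released` (ISO date)."""
    age_days = (date.fromisoformat(as_of) - date.fromisoformat(released)).days
    if age_days < 0:
        # Published after the assessment date: it could not have been
        # missing for any time, so treat it as the newest possible patch.
        age_days = 0
    if age_days <= 30:
        return BUCKETS[0]
    if age_days <= 180:
        return BUCKETS[1]
    if age_days <= 365:
        return BUCKETS[2]
    return BUCKETS[3]


def aging_schedule(missing, as_of: str = ASSESSMENT_DATE):
    """Build [(bucket, count, percent), ...] and the total over unique (host, patch) rows."""
    # Scanners often emit the same finding twice; keep one row per host/patch pair.
    unique = {(host, patch): released for host, patch, released in missing}
    counts = Counter(age_bucket(rel, as_of) for rel in unique.values())
    total = sum(counts.values())
    schedule = []
    for label in BUCKETS:
        n = counts.get(label, 0)
        schedule.append((label, n, round(100 * n / total) if total else 0))
    return schedule, total


def share_over_one_year(schedule, total) -> float:
    """Fraction of missing patches whose fix has been available for more than a year."""
    return schedule[3][1] / total if total else 0.0


# Constructed sample scan export: (host, patch id, vendor release date).
SAMPLE_MISSING = [
    ("host-a", "PATCH-0001", "2009-12-01"),
    ("host-a", "PATCH-0002", "2009-08-11"),
    ("host-b", "PATCH-0002", "2009-08-11"),  # same patch on another host counts again
    ("host-b", "PATCH-0003", "2009-03-10"),
    ("host-c", "PATCH-0004", "2008-06-01"),
    ("host-c", "PATCH-0004", "2008-06-01"),  # duplicate scanner row, dropped
    ("host-d", "PATCH-0005", "2007-01-15"),
    ("host-d", "PATCH-0006", "2009-12-20"),  # published after the assessment date
]

if __name__ == "__main__":
    sched, total = aging_schedule(SAMPLE_MISSING)
    for label, n, pct in sched:
        print(f"{label:<16}{n:>6}{pct:>10}%")
    print(f"{'Total':<16}{total:>6}{'':>10}  over 1 year: {share_over_one_year(sched, total):.0%}")
```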
[15] xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxx.
[16] xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
[17] xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.

Databases

We reviewed five Oracle database servers and identified the following xx unique high-risk vulnerabilities.

    • xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
    • xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxx.

We also identified:

    • xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
    • xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
    • xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxx.

APPENDIX C: MANAGEMENT’S COMMENTS